Historically, due diligence has mainly been dictated by U.S. Securities and Exchange Commission standards, such as those outlined in recent audits by the SEC’s Office of Compliance Inspections and Examinations.
“With the release of these audits, the amount of detail that is required for hedge-fund managers to meet operational due diligence is growing,” said Grigoriy Milis, chief technology officer at Richard Fleischman & Associates, an outsourced technology provider to hedge funds.
The complexity of the technology section of due-diligence questionnaires has evolved in stages. A decade ago, IT due diligence questionnaires (DDQs) included a few questions surrounding the ‘stability stage’ of network engineering, seeking to confirm that a hedge fund’s infrastructure resided on enterprise-grade hardware and consisted of the key elements necessary to conduct business quickly and reliably.
As firms have moved towards more complex, Internet-connected networks, a ‘redundancy stage’ has come into play to ensure that these networks have disaster recovery technology in place so they are able to continue operating in the event of a hardware or software failure, said Milis.
More recently, a ‘protection stage’ of technology planning has recently been addressed in a majority of inquiries, requiring firms to have the appropriate security measures in place to ensure data assets are not compromised or stolen. A ‘proof stage’ is an emerging trend for technology DDQs.
“Now that a comprehensive picture of the network stability, redundancy, and security have been addressed, investors are beginning to seek detailed proof that technology systems will operate as promised,” said Milis. “We expect to see an increased demand for documentation of technology processes and procedures as well as proof that system functionality is being regularly tested.”
The SEC may soon adopt Regulation Systems Compliance and Integrity (“Regulation SCI”), which it proposed in March 2013 in the wake of several high-profile systems problems in the securities markets, law firm Davis Polk & Wardwell said in a client note.
As proposed, Regulation SCI would impose a series of new technology, control and security requirements on certain self-regulatory organizations, alternative trading systems (“ATSs”), plan processors and exempt clearing agencies.
“The rulemaking also likely will be the SEC’s first major action in the market structure area following two important speeches this summer by SEC Chair Mary Jo White, in which she articulated an ambitious agenda of regulatory initiatives focused on a number of complex market structure issues,” sad Davis Polk. “The contours of Regulation SCI and the Commissioner statements at the open meeting may also provide clues about the SEC’s potential next steps in this area.”